Who is sending to my heavy forwarder?

I'm getting a lot of parsing errors on my heavy forwarders ...Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT... but I don't know how to tell where the event that is getting the error is coming from (what host). My HWFs are very busy and have many source devices sending events. If I knew how to associate this error with an incoming event, I think I could figure this out. Tcpdump might work, but the environment is too noisy to make sense of the data. Has anyone had any experience tracking down a host?

Re: Who is sending to my heavy forwarder?

@w199284 Did you check the _internal index? Make sure your role has access to the _internal index. The host field should give you the information.

index=_internal sourcetype=splunkd  PCRE_ERROR_MATCHLIMIT*
Re: Who is sending to my heavy forwarder?

Review the transforms.conf files on the HF for regular expressions that use wildcards. One of the expressions is matching more than the HF can handle.

---
If this reply helps you, an upvote would be appreciated.
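As an added example that is not part of the thread, the following script automates the review suggested in the second reply: it parses transforms.conf-style text and flags REGEX values with constructs that typically drive PCRE into heavy backtracking (unanchored leading wildcards, several .* in one pattern, quantified groups that are themselves quantified). The sample stanzas and the heuristics are constructed for illustration, not taken from the poster's configuration.

```python
import configparser
import re

# Constructed sample transforms.conf; not taken from the thread or any real deployment.
SAMPLE_TRANSFORMS = r"""
[anchored_extract]
REGEX = ^(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?<src>\S+)

[greedy_wildcards]
REGEX = .*user=(.*).*status=(.*)

[nested_quantifier]
REGEX = ^(\s*\w+\s*)+$
"""

# Constructs that commonly drive PCRE into heavy backtracking (heuristics, not a proof).
LEADING_WILDCARD = re.compile(r"^\(?\.[*+]")            # unanchored .* at the start
MULTI_WILDCARD = re.compile(r"\.[*+]")                  # several .* or .+ in one pattern
NESTED_QUANTIFIER = re.compile(r"\([^()]*[*+]\)[*+{]")  # (x*)+ style nesting

def load_transforms(text):
    """Parse transforms.conf-style text into {stanza: {attribute: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep REGEX/FORMAT in the case they were written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def audit_regex(pattern):
    """Return the risk reasons for one REGEX value; an empty list means none found."""
    reasons = []
    if LEADING_WILDCARD.search(pattern):
        reasons.append("unanchored leading wildcard")
    if len(MULTI_WILDCARD.findall(pattern)) >= 2:
        reasons.append("multiple .* or .+ wildcards")
    if NESTED_QUANTIFIER.search(pattern):
        reasons.append("quantifier applied to a quantified group")
    return reasons

def audit_transforms(text):
    """Map every stanza whose REGEX shows a risk construct to its list of reasons."""
    findings = {}
    for stanza, attrs in load_transforms(text).items():
        reasons = audit_regex(attrs.get("REGEX", ""))
        if reasons:
            findings[stanza] = reasons
    return findings

if __name__ == "__main__":
    print(audit_transforms(SAMPLE_TRANSFORMS))
```

Point `audit_transforms` at the contents of each transforms.conf on the HF (including app-local copies) and review the flagged stanzas first; a clean result does not prove a regex is safe, only that none of these three constructs is present.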